Method and system for authenticating a device

ABSTRACT

The present invention relates to a method for authenticating a device with a wireless access point. The method includes receiving an audio signal at the device via a microphone; processing the audio signal to extract a code; using the code to authenticate the device, at least in part, with the wireless access point; and in response to the authentication, providing access to one or more network Services to the device via the wireless access point. A system and software are also disclosed.

This application is the U.S. national phase of International Application No. PCT/GB2018/050779 filed 23 Mar. 2018, which designated the U.S. and claims priority to GB Patent Application No. 1704636.8 filed 23 Mar. 2017, the entire contents of each of which are hereby incorporated by reference.

FIELD OF INVENTION

The present invention is in the field of device authentication for communications. More particularly, but not exclusively, the present invention relates to a method and system for authenticating a device with a wireless access point.

BACKGROUND

Internet of Things (IoT) devices are computing devices which do not have the form factor of a traditional PC computer and usually perform a limited set of functions such as measuring temperature, recording video or providing lighting control. They often are connected to the internet and send/receive data over a network in order to coordinate and control the behaviour of these devices from a central service.

Due to their form factor IoT devices often do not have screens or extensive user input controls, such as a keyboard. Often, but not always, user input is limited to a small number of buttons, and output reduced to a small number indicator lights.

During the initial setup process, the IoT device must be brought onto a wireless network by passing the network's credentials to the IoT device such that it can then connect directly to the wireless network via a wireless access point. This is often done by configuring a temporary wireless network on the IoT device that a second device, often a mobile phone, can connect to and then pass network credentials.

Current methods often rely on the creation of a temporary ad hoc ‘hotspot’ to be created by the offline device. Typically a device owner will place the device into a configuration mode by pressing a button or interface element. Once in configuration mode, the device will create a hotspot network to which the owner can connect an additional device. Once a wireless connection is established between the two devices, credentials can be passed from the additional device to the offline device. When the credentials have been transferred the offline device can be reconfigured to connect directly to the network.

There is a desire to make this setup process faster and simpler for the owner/user of the IoT device.

It is an object of the present invention to provide a method and system for authenticating a device with a wireless access point which overcomes the disadvantages of the prior art, or at least provides a useful alternative.

SUMMARY OF INVENTION

According to a first aspect of the invention there is provided a method for authenticating a device with a wireless access point, including:

receiving an audio signal at the device via a microphone;

processing the audio signal to extract a code;

using the code to authenticate the device, at least in part, with the wireless access point; and

in response to the authentication, providing access to one or more network services to the device via the wireless access point.

Other aspects of the invention are described within the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:

FIG. 1 : shows a block diagram illustrating a system in accordance with an embodiment of the invention;

FIG. 2 : shows a flow diagram illustrating a method in accordance with an embodiment of the invention;

FIGS. 2 a and 2 b : shows block diagrams illustrating exemplary packet structures for the audio signal used by methods in accordance with embodiments of the invention; and

FIGS. 3 to 6 : shows diagrams illustrating methods and systems in accordance with an embodiment of the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention provides a method and system for authenticating a device with a wireless access point.

The inventors have determined that existing methods for authenticating new network-capable devices to wireless access points are cumbersome, particularly, when the devices are not general-purpose computing devices, such as IoT devices.

The inventors have discovered that audio can be used to facilitate the authentication process by encoding information in an audio signal for receipt by a network-capable device to assist that device in authenticating itself with a wireless network. The information might include, for example, WiFi credentials.

In FIG. 1 , a system 100 in accordance with an embodiment of the invention is shown.

A wireless access point 101 is shown. The wireless access point may be configured to broadcast a SSID (Service Set IDentifier) over a wireless protocol such as 802.11 or 802.15.1. In some embodiments, instead of WiFi, the wireless access point may be Bluetooth, Zigbee, or any other wireless standard.

A network-capable device 102 is shown. The network-capable device may be a non-general purpose computing device, such as an Internet-of-Things (IoT) device. The IoT device include, for example, sensors (e.g. for sensing light, heat, humidity, electricity, liquid levels, temperature, smoke, etc.) and/or control apparatus (e.g. to control electricity, mechanical/electrical apparatus, etc.)

The network-capable device 102 may include a processor 103, a wireless communication module 104 and a microphone 105.

The processor 103 may be configured for receiving an audio signal via the microphone 105, processing the audio signal to extract a code, and using the code to authenticate the device 102 with the wireless access point 101 via the wireless communication module 104.

A router 106 is shown. The router may be configured for mediating connections between devices across a network 107. The router 106 and wireless access point 101 may be collocated within the same apparatus.

A second device 108 is shown. The second device 108 may include or be connected to a speaker 109. The device 108 may be a user device such as a mobile user device (e.g. portable computer, smartphone, or tablet), a desktop computer, a television, a radio, or a landline telephone. In one embodiment, the second device 108 is another IoT device.

The second device 108 may include a user input apparatus 110 (e.g. a physical button, a touch-pad, a touch-screen, etc.), a processor 111, a memory 112, and a communications module 113.

The second device 108 may be configured to generate an audio signal at the speaker 109 for receipt by the microphone 105 at the network-capable device 102. The audio signal may encode the code which is subsequently extracted by the network-capable device 102. The second device 108 may generate the audio signal at the speaker 109 in response to input received at the user input apparatus.

It will be appreciated by those skilled in the art that the above embodiments of the invention may be deployed on different devices and in differing architectures.

Referring to FIG. 2 , a method 200 for authenticating a device (e.g. 102) with a wireless access point (e.g. 101) in accordance with an embodiment of the invention will be described.

In step 201, an audio signal is received at the device (e.g. 102) via a microphone (e.g. 105). The audio signal may be received from a speaker (e.g. 109) at another device (e.g. 108). The code may be encoded within the audio signal via an audio protocol (such as described in US Patent Publication No. 2012/084131A1). The encoding may happen at the other device (e.g. 108) or the other device (e.g. 108) may receive an audio signal for play-back encoded at another location (e.g. server or device) which may be local or remote to the devices.

In step 202, the audio signal is processed to extract a code (e.g. at processor 103). The audio signal may be processed locally or remotely. The code may include WiFi credentials such as a SSID and passphrase for the wireless access point. In some embodiments, the code may include additional information such as user account information. The code may be encrypted. The encryption may be via symmetric or asymmetric keys. In one embodiment, the device transmits its public key which is used to encrypt the code via PKI during encoding by the other device (e.g. 108).

The code may be embedded within a packet structure within the audio signal. The packet structure may comprise one or more of a header, a payload (e.g. for the code), error correction, and a checksum. Part of the packet may be encrypted (e.g. just the payload). Exemplary packet structures are shown in FIGS. 2 a and 2 b.

In step 203, the code is used to authenticate the device, at least in part, with the wireless access point. For example, the device may utilise its wireless communications module (104) to connect to the SSID using the passphrase.

In step 204, in response to the authentication, access is provided to one or more network services to the device via the wireless access point. Partial authentication may be provided, for example, the device may utilise pre-stored identity information and/or security information to further validate itself with the wireless access point, the router, or a server to access network services.

In some embodiments, the same audio signal may be received by microphones at multiple devices, each device may process the audio signal to extract the code, and use the code, at least in part, to authenticate each device with the wireless access point. In this way, multiple devices may “onboarded” with the wireless access point at one time.

In embodiments, the device may be configured to listen for audio signals at the microphone or to process received audio signals or to use codes extracted from audio signals when the device is not authenticated with the wireless access point. That is, if the device is already authenticated, it may not continuously attempt to reauthenticate. In embodiments, where the device subsequently loses authentication (for example, if the credentials are no longer valid), it may go again into “listening mode” where audio signals received are processed and the extracted code used to authenticate.

In one embodiment, the device may go into “listening mode” for a period of time after a user actuates a user input at the device (e.g. by pressing a physical button or virtual button), or when the device is powered up.

In embodiments, the device may always be in “listening mode”.

Embodiments of the present invention will be now be described with reference to FIGS. 3 to 6 .

In one embodiment, the user provides power to the offline device. After checking its connection status, this device may automatically start listening for audio codes, this would allow the configuration mode to be entered without user input. In one embodiment, the user presses an input button to enter this mode. In one embodiment, the device is always listening for audio codes this allows the device it to respond to new codes at any point.

A second device, having the network credentials provided to it by input from the user from a network connection or by the operating system of the device is used to encode network credentials and extra arbitrary application information into audio. These credentials may comprise of SSID and password as defined by 802.11i or 802.11i-2004. This device may be physically at the same location as the offline device or may have its audio transmitted by a third channel such as a telephone line or internet streamed audio to a speaker for local audio generation. In one embodiment, the audio code recorded and subsequently played from an audio storage medium. It is understood that the encoding of the data into an audio signal, and the broadcasting of this audio signal from a loudspeaker may occur on separate devices.

The offline device, receiving audio from the credentialed device decodes the audio code and uses these credentials to connect to a wired or wireless network.

In an alternative embodiment, the user provides power to the offline device. After checking its connection status, this device may automatically start broadcasting an audio signal to request credentials from a credentialed device. This broadcast may include the device's public key. In one embodiment, the user presses an input button to enter this mode. In one embodiment, the public key is provided to the credentialed device by means of a QR code, NFC Forum compatible tag or Bluetooth connection.

A second device, having the network credentials provided to it by input from the user, from a network connection or by the operating system of the device, is used to encode network credentials and extra arbitrary application information into audio. It may encrypt this data before sending using the offline device's public key. These credentials may comprise a SSID and passphrase as defined by 802.11i or 802.11i-2004. This device may be physically at the same location as the offline device or may have its audio transmitted by a third channel such as a telephone line or internet streamed audio. In one embodiment, the audio code is recorded to and subsequently played from an audio storage medium. It is understood that the encoding of the data into an audio signal, and the broadcasting of this audio signal from a loudspeaker may occur on separate devices.

The offline device, receiving audio from the credentialed device may decode the audio code and decrypt the received data to extract network credentials. The device may use these credentials to connect to a wired or wireless network. In one embodiment, the received data are used by the offline device to share the credentials with a third device.

In one embodiment shown in FIG. 3 , a plurality of devices 300, 301 and 302 are able to receive data from a first device 303. In a consumer setting, for example, a set of multiple network connected light bulbs may be provisioned concurrently by broadcasting the network credentials from device 303 such that each lightbulb receives the audio encoded data independently.

It can be seen that, in some embodiments, in order to provide a code to the offline device, the sending device does not itself need to be connected to a network.

In one embodiment, the first device (e.g. 301 to 303) activates the microphone only if it is not connected to a wired or wireless network.

The second device (e.g. 303) may be actuated by the user of the first device (e.g. 300 to 302) to transmit the audio signal. For example, by pressing a virtual button, or a voice command. In one embodiment, the second device may transmit the audio code continuously.

The audio signal may decoded at the first device to extract a code. The code may be encoded within the audio signal via an audio protocol (such as described in US Patent Publication No. 2012/084131A1).

This encoding may use a series of pitched tones to designate each symbol in the data to be broadcast. These tones may be audible or contain only high frequencies such that they are inaudible to humans. The series of pitched tones may contain broadcast designator tones at the beginning of the series which the receiver may use to initiate the decoding sequence on the receiver. The broadcast may vary in length such that more complex credentials take more time to broadcast, and less complex credentials take less time to broadcast.

Those knowledgeable in the art will understand that pitches may be modulated by a number of encoding strategies. A preferred embodiment uses Multi-Frequency Shift Keying (MFSK). It is understood that other modulation strategies can be used, these may include Frequency Shift Keying (FSK) or Frequency Division Multiplexing techniques (FDM).

The data symbols in each broadcast may be grouped such that they designate information about the broadcast, device or may contain other information useful to the receiver to aid decoding or device functionality after the decoding of the modulated audio. The data symbols may represent the network credentials directly or may represent the network credentials in an encrypted or tokenized form. The data symbols may be grouped such that there is a checksum to validate the broadcast data integrity.

The broadcast may contain additional application information in addition to the network credentials. For example, this information may reference the device owner's account or be used by the device (e.g. 300 to 302) to configure its application code or own configuration.

It is understood that the data broadcast may contain additional data to be used by the receiving device or to be passed via the network once a connection is established. For example, the sending device may send the network credentials as well as a customer account identifier, allowing the receiving device to connect to the network using the credentials, and subsequently retrieve relevant customer account information in order to be correctly configured for use. In one embodiment, network credentials and additional configuration data are within separate acoustic broadcasts.

In FIG. 4 , the code may be used by the first device 501 to authenticate it (at least in part) with the wireless access point to access network services via the wireless access point 505. The code may be used as the out-of-band communication channel within WiFi Alliance Device Provisioning Protocol (DPP).

The code may include login credentials (for example, for an open network), and/or a wireless password (such as WPA2 or WEP). The code may include WiFi details such as the SSID (Service Set IDentifier).

The code may provide temporary or limited access to the network, further authentication steps may then be taken between the device and network access point.

In one embodiment the device 501 is able to receive audio data broadcasts continuously. Alternatively the device 501 may enable audio data functionality only when no network wired or wireless network are present.

In another embodiment shown in FIG. 5 , devices 601 without a network connection are able to signal to neighbouring devices 604 by requesting access using an audio broadcast. In this case, the requesting device 601 may include its PKI public key in the request broadcast. Nearby device 604 or devices that are within audio broadcast range and receive the request can provide network credentials to the requesting device 601.

In embodiment shown in FIG. 6 , the code may be encrypted such that login credentials are not passed in plain text form during the acoustic broadcast. In one embodiment, the credentials may be encrypted using public-private key encryption. The public key of the offline device is shared with the credentialed device. Sharing of the public key may be facilitated by the offline device using audio encoding by the offline device via a loudspeaker or by other means such as QR code or OCR. The offline device public key may also be shared to the credentialed device via an existing network connection.

Potential advantages of some embodiments of the present invention are:

-   -   Ease of use—instead of reconfiguring a mobile user device to         connect to an ad-hoc network, the user clicks one button on         their mobile user device (or has to take no action at all if the         audio plays automatically);     -   Means of inferring proximity between the devices and the user         device (the configuring device) which may increase security—as         audio is used, IoT devices will not be able to login from         adjacent rooms or buildings (even if the wifi network extends to         these locations) as the audio will not be picked up those         devices;     -   Low-cost/no additional hardware required for IoT devices as most         have microphones already;     -   Means of provisioning multiple devices in a single broadcast as         many devices within the vicinity of the credentialed device will         be able to receive network access; and     -   Offline devices may be able to request network access         automatically from neighbouring devices.

While the present invention has been illustrated by the description of the embodiments thereof, and while the embodiments have been described in considerable detail, it is not the intention of the applicant to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art. Therefore, the invention in its broader aspects is not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. Accordingly, departures may be made from such details without departure from the spirit or scope of applicant's general inventive concept. 

The invention claimed is:
 1. A method for authenticating a device with a wireless access point, including: broadcasting, via a speaker included in the device, a requesting audio signal to request authentication information based on a determination that the device is not authenticated with the wireless access point, wherein the requesting audio signal encodes a public key of the device; in response to the broadcasting of the requesting audio signal, receiving, at the device via a microphone, an audio signal encoding a code encrypted based on the public key of the device; processing the audio signal to extract the code based on the public key of the device; using the code to authenticate the device, at least in part, with the wireless access point; and in response to the authentication, providing access to one or more network services to the device via the wireless access point.
 2. A method as claimed in claim 1, wherein the audio signal is received from a speaker at a second device.
 3. A method as claimed in claim 2, wherein the second device is a user device.
 4. A method as claimed in claim 2, wherein the second device is actuated by a user of the second device to generate the audio signal at the speaker.
 5. A method as claimed in claim 2, wherein the second device is triggered to generate the audio signal at the speaker by receiving the requesting audio signal from the device.
 6. A method as claimed in claim 1, wherein the code includes WiFi credentials for the wireless access point.
 7. A method as claimed in claim 6, wherein the WiFi credentials includes SSID for the wireless access point, and a password for the wireless access point.
 8. A method as claimed in claim 1, wherein the network services include Internet services.
 9. A method as claimed in claim 1, wherein the device is an IoT device.
 10. A method as claimed in claim 1, wherein the device is not a general purpose computing device.
 11. A method as claimed in claim 1, wherein the code is audibly encoded within the audio signal.
 12. A method as claimed in claim 1, wherein the code is inaudibly encoded within the audio signal.
 13. A method as claimed in claim 1, wherein a plurality of devices receive the audio signal, each device extracting the code from the audio signal, and using the code to authenticate that device, at least in part, with the wireless access point.
 14. A method as claimed in claim 1, wherein the audio signal comprises information encoded within a packet.
 15. A method as claimed in claim 14, wherein the packet includes a header, a payload and one or more selected from the set of error correction, encryption and a checksum.
 16. A method as claimed in claim 15, wherein the code is within the payload.
 17. A method as claimed in claim 1, wherein the device listens for the audio signal at the microphone when the device is not authenticated with the wireless access point.
 18. A method as claimed in claim 1, wherein the device listens for the audio signal at the microphone for a predetermine period of time when the device receives user input at the device.
 19. The method as claimed in claim 1, wherein the audio signal is processed to extract user account information and the method includes transmitting the user account information to the one or more network services via the wireless access point.
 20. The method as claimed in claim 1, wherein the audio signal is processed to extract a customer account identifier and the method further includes: retrieving customer account information from the one or more network services based on the extracted customer account identifier, and configuring the device based on the retrieved customer account information.
 21. A device comprising: a speaker; a microphone; communication circuitry; and one or more processors operatively coupled to the speaker, the microphone and the communication circuitry, and configured to: broadcast, via the speaker, a requesting audio signal to request authentication information based on a determination that the device is not authenticated with a wireless access point, wherein the requesting audio signal encodes a public key of the device; in response to the broadcasting of the requesting audio signal, receive, at the device via the microphone, an audio signal encoding a code encrypted based on the public key of the device; process the audio signal to extract the code based on the public key of the device; authenticate, via the communication circuitry, the device, at least in part, with the wireless access point based on the code; and in response to the authentication, provide access to one or more network services to the device via the communication circuitry and the wireless access point.
 22. A non-transitory computer readable medium having stored therein computer-readable instructions that, when executed by one or more processors of a device, cause the device to: broadcast, via a speaker included in the device, a requesting audio signal to request authentication information based on a determination that the device is not authenticated with a wireless access point wherein the requesting audio signal encodes a public key of the device; in response to the broadcasting of the requesting audio signal, receive, at the device via a microphone an audio signal encoding a code encrypted based on the public key of the device; process the audio signal to extract the code based on the public key of the device; authenticate the device, at least in part, with the wireless access point based on the code; and in response to the authentication, provide access to one or more network services to the device via the wireless access point. 